Originally published on CUInsight.com
Privacy. Buzzword doesn’t even begin to describe it. You discuss it in your board meetings. It’s mentioned ad nauseam on news stories at every level.
It played a major role during the coronavirus pandemic. Conflicts between the right to privacy and informing fellow workers of infected persons raised a lot of ire.
Tracking exposed people using anonymous phone location data built maps where we could watch the virus spread. Was that a public health requirement or privacy violation? Or both?
And now, with Apple and Google having built an Exposure Notification API, everyone’s devices could help us know when you’re exposed. Are there privacy implications? You bet. That’s why they listened to get it right.
Too bad our national and local governments mostly passed up using the tech to help save lives…because of the privacy issues out there, this wasn’t the “hill to die on”.
We debate the details of privacy and what it means with respect to national security, crime, and business. In fact, privacy is a topic of discussion in nearly every area of life.
Yet why do we seem to have less of it than ever before?
This post will look at what privacy means for your credit union, your members, and how its perception evolves over time.
You’ve Been Logged
Of course, you’ve already been logged. “Let me count the ways…” Where do we even start?
For the more mundane, we’ve got cookies in your web browser. They help sites recognize you upon your return. This is what lets you “stay logged in” on Gmail or any other service.
We’ll get to the more interesting systems later.
Tracking for Good
Tracking isn’t inherently bad. You can’t personalize if you don’t have any knowledge on who is doing what. The key is to embrace your data to improve your experiences without getting creepy.
From your standpoint, cookies are a fun tool. They can be used to remember members upon their return to your site. United Texas CU embraces this with their full-page assistant.
You can take it even further by proactively offering assistance based on their previous visit actions. If a member visited your Checking page before, display your account options on the homepage.
The same can be done with Auto Loans, where you display your Car Buying Service and your “as low as” rate.
In a way, members feel recognized and appreciated. It’s not creepy and helps everyone. Think of it like the Recommended Items on your Amazon homepage.
There’s also 3rd party cookies, which follow you around the internet and are not in the same category at all. We look at those below.
Did you know that in 2019, there was a 31% drop in average annual number of overdrafts per account? Unfortunately, it’s not because people suddenly had more money. Or that they could avoid overdrawing their accounts.
It’s been attributed, at least in part, to proactive account alerts: Push notifications from the banking app to warn on low balance. Does your app do that? Because others do it with a lot of style.
On one side, it will cost money to implement and reduce fee income. However, I believe the credit union mission demands it. There are a lot of other ways to grow revenues that don’t involve punishing those already least able to afford it.
From your member’s perspective, you are providing a helpful service that assists them in better managing their available funds. And saves money. Plus, it can be part of a financial literacy effort. If nothing else, it’s financial empowerment.
Some of the big banks have digital assistants in their apps to give additional insights. For example, Bank of America has Erica (Get it? Brilliant, right?).
You can ask Erica questions by text or voice, both using natural language. For example, you can say, “how much did I spend on groceries this month?” Or, “what are my recurring charges?”
Helping members get a better view on their money (and take actions on it) will keep you from becoming a “dumb bank”.
Tracking You May Not Know About
With our smartphones comes an impressive array of sensors and software systems. Put together, they can learn an insane amount of information about you.
We’ll talk about them, but there’s also other personal information you’re giving up without even realizing. Some you can restrict. Most you can’t (though Apple’s new App Tracking Transparency will give you lots more control).
Your phone has GPS. So it knows where it is in the world. That means your cell phone provider also knows. Granted, it needs to so it can choose which tower to use (for rough location, they’ve always known).
With apps, you can choose to allow them to access that location information. It’s helpful to find ATMs, use maps, or any of millions of other functions.
Did you know you can restrict this access? Your phone lets you choose whether the app can access your location at all, while it’s open, or always (yes, even when it’s not active at all).
For example, Bank of America asks for Always location access to match your phone’s location with card purchases. If your card is in Sacramento and you’re in Boston, there might be a problem.
Many apps ask for your location to sell that data to advertisers. You didn’t think that amazing game was free free, right?
Find your phone’s location privacy settings (iPhone: Settings/Privacy/Location Services). Lock it down as much as you can while still allowing desired functionality.
I recommend turning off “Precise Location” on any apps that don’t need to know where you are to the foot. If you must leave location on for Facebook, this is the setting to use.
GPS is your primary location system on phones, but it’s not the only one. Bluetooth does more than connect to your headphones. It is a form of precise location as well.
This is done in two ways:
- Detection of Bluetooth beacons installed in the environment around you
- Example: In a clothing store, when their app is open, it may use these beacons to offer section-specific coupons.
- Looking at every Bluetooth device around you and their signal strength or change over time
- This is how Apple Maps determines traffic. Your iPhone listens for every other iPhone’s Bluetooth signal as you’re driving along. When it detects the GPS speed is slow and also many other iPhones, that’s a good indicator of traffic.
COVID-19 Exposure Notification API
Who knew when I wrote this that there would be a global use of Bluetooth tracking? Well, there is. Apple & Google partnered to build a COVID-19 Exposure Notification API. With it, phones use Bluetooth to look at nearby devices.
While preserving privacy, your phone will monitor other Bluetooth devices nearby, behaving similarly to the traffic tracking. It will look at signal strength to determine distance (instead of speed). This gets anonymized and sent to their servers.
Public health authorities and individual users will mark people who have tested positive. Then, the system will match that device’s identifier to all those who were in proximity. Each of them receive a notification they may have been exposed.
It’s already on your phone. Even though it’s really a bit late, there is still time to demand your national and state governments build apps to “light it up”. Without exaggeration, it will save lives.
Other Bluetooth Uses
To address the issue of apps (like Facebook) using this Bluetooth data to get location information on you, even when you had Location Access off, Apple made apps get permission to use Bluetooth.
It’s another section in Privacy on your iPhone. Check it. Turn off those which aren’t using devices or services (while leaving it on for apps like Tile, which use it in the background to help others find their stuff).
There’s a whole lot more we can discuss on the topic of location data from phones/watches:
- The accelerometer knows how and where it’s being held/carried
- The gyroscope can detect how it moves in an environment
- In theory, this data can show limps, desired accessories (purses, pockets, etc.), activity levels, or other potential health characteristics
Yeah, it gets a little nuts. But it’s happening. My main advice here? Only install apps from companies you generally trust and keep access permissions as low as possible while preserving app functionality.
There’s a reason the Privacy section of your iPhone has categories beyond Location. Apps can collect an enormous amount of data from users, some without their knowledge (hence why there’s so many privacy sections).
This can include contact lists (known good e-mails, addresses, and phone numbers), recordings from around you (yes, some apps really are listening!), photos or camera, and more. Each requires permission.
For your financial institution, you don’t have to worry about this from your app. However, it’s good to know what’s possible. In some way, you might wish to use certain functions to improve member experience.
It’s unlikely your mobile app has ads, beyond internal banners for financial services. A lot of others do. While I get that a “free internet” needs ads to fund it, we can do better.
Rogue ads that get into rotation on services like Google’s Double-click or Adsense networks can cause issues. They may collect data and send it back to sites for distributing malware, phishing messages, and more.
Even apps without ads might have some form of tracking. Under the guise of “analytics”, some apps collect a large amount of usage data. Why? To sell it, of course! That new Apple privacy feature? It’ll stop this. Thank goodness.
Just make sure when you open an app (after updating to iOS 14.5), tap “Ask Not To Track”. Done! Moving forward, you can always look at an iPhone app’s Privacy Label in the App Store to see what data they use to track you.
So what might an app be learning from your use? In other words, what do they consider “analytics”? Here’s just a few items included in Apple’s Privacy Label (all are included in LinkedIn to track you):
- Precise/Coarse Location
- All contact information
- Advertising data (if you’ve ever tapped an ad, commented, liked, or just looked at one for any length of time)
- Product interaction (literally how you swipe, tap, linger, and otherwise behave in an app)
- Also, what you’ve typed (or potentially written, then erased) inside the app
- Text messages
- “Other data types” (so, assume everything not already mentioned)
For this and more, you can always check Apple’s App Privacy labels in their store. In addition, they will soon allow you to disable tracking (which has a few big data scrapers up in arms…it’s delightful): App Tracking Transparency.
If you handle the IT for your credit union, learn how Privacy Badger supports enterprise deployment and configuration. This lets you protect all your connected systems through unified management and can help prevent malware entering your network.
3rd Party Cookies
Cookies again? Yes. They’re not just for the website you’re visiting. 3rd party cookies, which I’ve been blocking for many years (it’s a simple browser setting), track you across the internet.
These are one of the tools advertisers use to show ads for that beach chair you looked at a week ago on every other site. And it’s going away.
Google recently announced they’re removing support for 3rd party cookies in Chrome by 2022. So no more ads? Not quite.
First, this only affects Chrome (~60% of desktop browsers in US). Firefox and Safari blocked 3rd party cookies by default for a while now. Second, it doesn’t affect their own ads. Why?
Because if you’re using the (Google) Chrome browser, they’ve already got all the tracking data they need. This change won’t hurt them one bit. In fact…
In my opinion, Google is doing this to build their own business. They’re making it harder for other advertisers to gather data, while ensuring they’ll have the most personalized ads to display.
Why would your credit union care about this change? Well, it affects your marketing strategy. If you’ve been using targeted ads across the web, it may require a rethink.
How to deal with this upcoming change? Connect with members. Produce great content. Share on social media. Use e-mail, text (SMS), and notifications, when appropriate. Don’t just say you’re unique. Be it.
Finding this balance between “invading” privacy (through any means) and providing a useful service is a challenge.
It’s also essential to your future. At the same time, norms regarding what information can be shared is changing.
People are now ok with some forms of data exchange (I give you my information for this service).
My intention in this post was to expose you to just some of the methods in use today for tracking. And give you something to think about regarding member privacy.
Part 2 Dives Deeper
We went far enough today. This topic can cover books and still just scratch the surface. It’s changing all the time, both on the tools at your disposal and the strategies taken to get more data.
The second part of this Privacy Guide is going to look at individual risks. We will review privacy settings on phones, discuss some recent hacks that will make you rethink posting “Public”, and preventative tools to lock down your online and real-world presence.
Why, as a credit union, would you care about these things? Great question. First, you’re a person, which means all this applies to you, too. Plus, as a credit union, you aim to protect members’ financial lives.
We will also look at ways your credit union can share information to enhance the member experience. You won’t be alone; it’s already a big deal.
Data is a huge part of every aspect of life. We must ensure it’s moved, secured, and treated with care.
Be sure to Subscribe to CU Geek so you don’t miss any posts! Also, follow me on Twitter, where I share all sorts of intriguing content. And geek out about Doctor Who. Team TARDIS for life!